From patchwork Wed Oct 6 06:00:49 2021
X-Patchwork-Submitter: Soft Works
X-Patchwork-Id: 30921
From: Soft Works
To: "ffmpeg-devel@ffmpeg.org"
Date: Wed, 6 Oct 2021 06:00:49 +0000
Subject: [FFmpeg-devel] [PATCH v6 01/11] libavformat/asf: Fix handling of byte array length values

The spec allows attachment sizes of up to UINT32_MAX while
we can handle only sizes up to INT32_MAX (in downstream
code). The debug.assert in get_tag didn't really address
this, and truncating the value_len in calling methods cannot
be used because the length value is required in order to
continue parsing. This adds a check with log message in
ff_asf_handle_byte_array to handle those (rare) cases.

Signed-off-by: softworkz
---
 libavformat/asf.c | 12 +++++++++---
 libavformat/asf.h | 2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/libavformat/asf.c b/libavformat/asf.c index 1ac8b5f078..179b66a2b4 100644 --- a/libavformat/asf.c +++ b/libavformat/asf.c @@ -267,12 +267,18 @@ static int get_id3_tag(AVFormatContext *s, int len) } int ff_asf_handle_byte_array(AVFormatContext *s, const char *name, - int val_len) + uint32_t val_len) { + if (val_len > INT32_MAX) { + av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name); + return 1; + } + if (!strcmp(name, "WM/Picture")) // handle cover art - return asf_read_picture(s, val_len); + return asf_read_picture(s, (int)val_len); else if (!strcmp(name, "ID3")) // handle ID3 tag - return get_id3_tag(s, val_len); + return get_id3_tag(s, (int)val_len); + av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", name); return 1; } 
diff --git a/libavformat/asf.h b/libavformat/asf.h index 01cc4f7a46..4d28560f56 100644 --- a/libavformat/asf.h +++ b/libavformat/asf.h @@ -111,7 +111,7 @@ extern const AVMetadataConv ff_asf_metadata_conv[]; * is unsupported by this function and 0 otherwise. */ int ff_asf_handle_byte_array(AVFormatContext *s, const char *name, - int val_len); + uint32_t val_len); #define ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT 0x80 //1000 0000
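
Review bot: In the asf.c hunk, the new guard in ff_asf_handle_byte_array returns 1 for val_len > INT32_MAX, the same value as the "unsupported tag" fall-through, so a caller cannot tell an oversized array from an unknown name. The commit message says the length is still needed to continue parsing, but no call site is touched here; please confirm that every caller keeps the length as uint32_t and skips exactly that many bytes when 1 comes back, since a caller that still stores it in an int would pass the right value into this function and then seek with a negative one. Smaller points: the value is cast to int afterwards, so comparing against INT_MAX would tie the bound to the type actually used in the (int)val_len casts, and the added "Unsupported byte array in tag %s." log at the end of the function is a second behaviour change that the commit message does not mention.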
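
Review bot: In the asf.h hunk, the prototype changes to uint32_t val_len but the doc comment above it still only says the function returns 1 when the tag "is unsupported by this function and 0 otherwise". Please extend that comment to state that 1 is also returned when val_len exceeds INT32_MAX and that the caller remains responsible for skipping val_len bytes in that case, so the contract matches the new check in asf.c.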